Mysql + php with special characters like '(Apostrophe) and " (Quotation mark)

礼貌的吻别 2020-12-10 05:28

I have been struggling with a small problem for a while. It's been there for years but it's just been an irritating problem and not a serious one, and I have just worked a

7 answers
  • 2020-12-10 05:46

    Your sql string will be:

    INSERT INTO `table` (`row1`) VALUES ('google's site')
    

    Which is not a valid statement. As Nanne wrote, escape the string at least with mysql_real_escape_string: http://php.net/manual/en/function.mysql-real-escape-string.php

    And read about sql injection http://en.wikipedia.org/wiki/SQL_injection

    Think a bit: if someone posts this: $_POST['text'] with value: ');delete from table;....

    You can say goodbye to your data :)

    Always filter/escape input!

    EDIT: As of PHP 5.5.0 mysql_real_escape_string and the mysql extension are deprecated. Please use the mysqli extension and the mysqli::escape_string function instead.

  • 2020-12-10 05:50

    Always at least use mysql_real_escape_string when adding user-provided values into the Database. You should look into binding parameters or mysqli so your query would become:

    INSERT INTO `table` (`row1`) VALUES (?)
    

    And ? would be replaced by the actual value after sanitizing the input.

    In your case use:

    $result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".mysql_real_escape_string($_POST['text'])."') ") or die(mysql_error());
    

    Read up on SQL Injection. It's worth doing right ASAP!

  • 2020-12-10 05:54

    I was also struggling with characters when I was updating data in MySQL.

    But I finally came to a better answer. Here it is:

    $lastname = $_POST["lastname"]; // lastname is: O'Brian, Bran'storm
    

    And when you are going to update your database, the system will not update it unless you use the MySQL REAL Escape String. Here:

    $lastname = mysql_real_escape_string($_POST["lastname"]);  // This Works Always.
    

    Then your query will update certainly.

    Example: mysql_query("UPDATE client SET lastname = '$lastname' WHERE clientID = '%'"); // This will update your data and provide you with security. ('%' stands in for the client ID, as in the original answer.)
    

    For more information, please check MYSQL_REAL_ESCAPE_STRING.

    Hope this helps.

  • 2020-12-10 05:58

    Escape the string :D

    http://php.net/manual/en/function.mysql-real-escape-string.php

  • 2020-12-10 06:05

    Just use prepared statements and you wouldn't have to worry about escaping or sql injection.

    $con = new mysqli("localhost", "user", "password", "dbname"); // placeholder connection details
    $input = "What's up?";
    $stmt = $con->prepare("INSERT INTO `tablename` (`field`) VALUES (?)");
    $stmt->bind_param("s", $input); // "s": bind $input as a string
    $stmt->execute();
    
  • 2020-12-10 06:08

    Instead of using the old mysql* functions, use PDO and write parameterized queries - http://php.net/pdo

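An added example, not code from any of the answers above, that puts an input containing both an apostrophe and a quotation mark through the three approaches the answers discuss: plain concatenation (the question's bug), escaping, and a prepared statement. The DSN, credentials and table definition are placeholders.

```php
<?php
// Added example. Assumes a MySQL database reachable with the placeholder
// DSN/credentials below and a table created by:
//   CREATE TABLE `table` (`row1` VARCHAR(255) NOT NULL);
$dsn  = 'mysql:host=localhost;dbname=testdb;charset=utf8mb4'; // placeholder
$user = 'dbuser';     // placeholder
$pass = 'dbpassword'; // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Constructed input containing both characters from the question.
$text = "google's \"official\" site";

// 1) What the question's code effectively does: string concatenation.
//    The apostrophe terminates the SQL literal, so the statement is
//    malformed and fails; with other input it would execute SQL the
//    application never intended (the injection the answers warn about).
$broken = "INSERT INTO `table` (`row1`) VALUES ('" . $text . "')";
try {
    $pdo->exec($broken);
    echo "unexpected: concatenated query succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2) Escaping: PDO::quote() is the PDO counterpart of
//    mysql_real_escape_string(). It works, but every call site has to
//    remember it, which is exactly how the question's bug arises.
$pdo->exec("INSERT INTO `table` (`row1`) VALUES (" . $pdo->quote($text) . ")");

// 3) Prepared statement: the value is sent separately from the SQL text,
//    so apostrophes and quotation marks need no special handling at all.
$stmt = $pdo->prepare("INSERT INTO `table` (`row1`) VALUES (:row1)");
$stmt->execute([':row1' => $text]);

// Read back with a parameter as well and confirm the value round-trips
// unchanged (both successful inserts are found).
$check = $pdo->prepare("SELECT COUNT(*) FROM `table` WHERE `row1` = :row1");
$check->execute([':row1' => $text]);
echo "rows holding the exact input: " . $check->fetchColumn() . "\n";
```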